[openstack-dev] [keystone] orchestration and db_sync
dolph.mathews at gmail.com
Tue May 31 13:46:12 UTC 2016
On Tue, May 31, 2016 at 8:41 AM David Stanek <dstanek at dstanek.com> wrote:
> On Fri, May 27, 2016 at 12:08 PM, Ryan Hallisey <rhallise at redhat.com>
> These changes do not all happen at the same time for an OpenStack
> > - Create the service's users and add a password into the database
> Should only happen once during installation.
> > - Sync the service with the database
> Should happen during installation and for every upgrade.
> > - Start the service
> > I was wondering if for some services they could be aware of whether or not they need
> > to sync with the database at startup. Or maybe the service runs a db_sync every time
> > it starts? I figured I would start a thread about this because Keystone has some
> > flexibility when running N+1 in a cluster of N. If Keystone could have
> > that ability maybe Keystone could db_sync each time it starts without harming the
> > cluster?
> This isn't something I would want to see for a few reasons. The most
> important one is that I think the decision to run db_sync needs to be
> explicit. An operator should run it when they are ready (maybe they
> need to shut something down, ensure up-to-date backups, etc.).
> Another issue is database modification permissions. The user running
> the application, as well as the DB user the application uses,
> shouldn't have access to DML for security reasons. Little Bobby
> Tables' mom found this out the hard way.
> 1. https://xkcd.com/327/
> blog: http://www.traceback.org
> twitter: http://twitter.com/dstanek
> www: http://dstanek.com